US11343231B2 (Active, Utility patent)

Security context aware nano-segmentation for container based microservices

Assignee: VMWARE INC
Priority: Jul 4, 2019
Filed: Aug 22, 2019
Granted: May 24, 2022
Estimated expiry: Jul 4, 2039 (nominal 20-year term from priority)
Inventors: DESHPANDE PRAHALAD, BHALERAO NIKHIL, JADHAV ATUL, SHARMA ABHIJIT, RANJAN SHASHANK
CPC: H04L 63/0236, H04L 63/20, H04L 63/0263
Claims: 20

Abstract

The present disclosure provides an approach for creating one or more firewall rules to regulate communication between containers. The approach includes calculating a trust score for each container. To generate a rule for any two containers, a difference between the trust scores is computed, and if the difference in trust levels is too large, then the more trustworthy container is not allowed to communicate with the less trustworthy container. If the difference in trust scores is not too large, then the trustworthy container is allowed to communicate with the other trustworthy container, or an untrustworthy container is allowed to communicate with another untrustworthy container.

Claims

What is claimed is:

1. A method of generating or maintaining a firewall rule of a firewall of one or more computer systems, the one or more computer systems including a first container and a second container executing on one or more operating systems, wherein the first container comprises a first set of security attributes, and wherein the second container comprises a second set of security attributes, the method comprising:
   computing one or more first attribute trust scores of at least one of the first set of security attributes;
   computing one or more second attribute trust scores of at least one of the second set of security attributes;
   based on the one or more first attribute trust scores, computing a first workload trust score of the first container;
   based on the one or more second attribute trust scores, computing a second workload trust score of the second container;
   comparing the first workload trust score to the second workload trust score; and
   based on the comparing, generating or maintaining a rule for the firewall to block or allow transmission of packets between the first container and the second container.

2. The method of claim 1, the method further comprising:
   transmitting a packet from the first container to the second container;
   based on the rule, determining by the firewall whether to allow or block transmission of the packet; and
   based on the determining, blocking or allowing transmission of the packet.

3. The method of claim 1, wherein the computing the first workload trust score comprises:
   comparing each score of the first attribute trust scores to an attribute threshold value to determine whether each attribute of the first set of security attributes is a trustworthy attribute;
   adjusting at least one score of the first attribute trust scores by one or more weights;
   based on the comparing, adjusting at least one score of the first attribute trust scores; and
   summing each score of the first attribute trust scores.

4. The method of claim 1, wherein the first container is instantiated from a container image, the method further comprising, prior to the computing the first attribute trust scores, obtaining one or more signatures located within the container image, and wherein the computing the first attribute trust scores is performed using at least one of the one or more signatures or packet transmission information.

5. The method of claim 1, the method further comprising, prior to the computing the first attribute trust scores, obtaining an identifier of a source registry of the first container from which a container image of the first container originated, wherein the computing the first attribute trust scores is performed using at least the identifier.

6. The method of claim 1, the method further comprising, prior to the computing the first attribute trust scores, obtaining packet transmission information of the first container, wherein the computing the first attribute trust scores is performed using at least the packet transmission information.

7. The method of claim 1, wherein a first service runs from the first container, wherein the first container is instantiated from a container image, and wherein the container image comprises executable code, system tools, configurations, settings, system libraries, and file system of the first service.

8. The method of claim 1, the method further comprising:
   receiving, by the firewall, a packet from the first container, the second container, or a third container;
   processing the packet to extract one or more packet attributes;
   comparing the one or more packet attributes to the rule; and
   based on the comparing, allowing or blocking transmission of the packet.

9. A non-transitory computer readable medium comprising instructions to be executed in a processor of one or more computer systems, the instructions when executed in the processor cause the one or more computer systems to carry out a method of generating or maintaining a firewall rule of a firewall of the one or more computer system, the one or more computer system including a first container and a second container executing on one or more operating systems, wherein the first container comprises a first set of security attributes, and wherein the second container comprises a second set of security attributes, the method comprising:
   computing one or more first attribute trust scores of at least one of the first set of security attributes;
   computing one or more second attribute trust scores of at least one of the second set of security attributes;
   based on the one or more first attribute trust scores, computing a first workload trust score of the first container;
   based on the one or more second attribute trust scores, computing a second workload trust score of the second container;
   comparing the first workload trust score to the second workload trust score; and
   based on the comparing, generating or maintaining a rule for the firewall to block or allow transmission of packets between the first container and the second container.

10. The non-transitory computer readable medium of claim 9, the method further comprising:
   transmitting a packet from the first container to the second container;
   based on the rule, determining by the firewall whether to allow or block transmission of the packet; and
   based on the determining, blocking or allowing transmission of the packet.

11. The non-transitory computer readable medium of claim 9, wherein the computing the first workload trust score comprises:
   comparing each score of the first attribute trust scores to an attribute threshold value to determine whether each attribute of the first set of security attributes is a trustworthy attribute;
   adjusting at least one score of the first attribute trust scores by one or more weights;
   based on the comparing, adjusting at least one score of the first attribute trust scores; and
   summing each score of the first attribute trust scores.

12. The non-transitory computer readable medium of claim 9, wherein the first container is instantiated from a container image, the method further comprising, prior to the computing the first attribute trust scores, obtaining one or more signatures located within the container image, and wherein the computing the first attribute trust scores is performed using at least one of the one or more signatures or packet transmission information.

13. The non-transitory computer readable medium of claim 9, the method further comprising, prior to the computing the first attribute trust scores, obtaining an identifier of a source registry of the first container from which a container image of the first container originated, wherein the computing the first attribute trust scores is performed using at least the identifier.

14. The non-transitory computer readable medium of claim 9, the method further comprising, prior to the computing the first attribute trust scores, obtaining packet transmission information of the first container, wherein the computing the first attribute trust scores is performed using at least the packet transmission information.

15. The non-transitory computer readable medium of claim 9, wherein a first service runs from the first container, wherein the first container is instantiated from a container image, and wherein the container image comprises executable code, system tools, configurations, settings, system libraries, and file system of the first service.

16. The non-transitory computer readable medium of claim 9, the method further comprising:
   receiving, by the firewall, a packet from the first container, the second container, or a third container;
   processing the packet to extract one or more packet attributes;
   comparing the one or more packet attributes to the rule; and
   based on the comparing, allowing or blocking transmission of the packet.

17. One or more computer systems comprising:
   a firewall;
   a first container comprising a first set of security attributes;
   a second container comprising a second set of security attributes;
   one or more operating systems, wherein the first container and the second container are executing on the one or more operating systems; and
   at least one hardware processor, wherein the at least one hardware processor is programmed to carry out a method of generating or maintaining a firewall rule of the firewall, the method comprising:
      computing one or more first attribute trust scores of at least one of the first set of security attributes;
      computing one or more second attribute trust scores of at least one of the second set of security attributes;
      based on the one or more first attribute trust scores, computing a first workload trust score of the first container;
      based on the one or more second attribute trust scores, computing a second workload trust score of the second container;
      comparing the first workload trust score to the second workload trust score; and
      based on the comparing, generating or maintaining a rule for the firewall to block or allow transmission of packets between the first container and the second container.

18. The computer system of claim 17, the method further comprising:
   transmitting a packet from the first container to the second container;
   based on the rule, determining by the firewall whether to allow or block transmission of the packet; and
   based on the determining, blocking or allowing transmission of the packet.

19. The computer system of claim 17, wherein the computing the first workload trust score comprises:
   comparing each score of the first attribute trust scores to an attribute threshold value to determine whether each attribute of the first set of security attributes is a trustworthy attribute;
   adjusting at least one score of the first attribute trust scores by one or more weights;
   based on the comparing, adjusting at least one score of the first attribute trust scores; and
   summing each score of the first attribute trust scores.

20. The computer system of claim 17, wherein the first container is instantiated from a container image, the method further comprising, prior to the computing the first attribute trust scores, obtaining one or more signatures located within the container image, and wherein the computing the first attribute trust scores is performed using at least one of the one or more signatures or packet transmission information.
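The scoring and rule-generation flow that the abstract and claims 1, 3 and 8 describe, as an added worked example (this is illustrative code written for this page, not VMware's implementation). The attribute names, weights, attribute threshold, untrustworthy-attribute penalty, maximum trust gap, sample containers and the default-deny behaviour when no rule matches are all assumptions; the patent specifies none of these values.

```python
from dataclasses import dataclass
from itertools import permutations

# Illustrative parameters: the patent does not fix these values, they are assumed here.
ATTRIBUTE_THRESHOLD = 0.5     # claim 3: per-attribute trustworthy cutoff
UNTRUSTWORTHY_PENALTY = 0.5   # claim 3: adjustment applied to attributes below the threshold
MAX_TRUST_GAP = 0.3           # abstract: largest workload-score gap that still permits traffic
# Assumed weights for the attribute kinds named in claims 4-6.
WEIGHTS = {"image_signature": 0.5, "source_registry": 0.3, "packet_behaviour": 0.2}

@dataclass
class Container:
    name: str
    ip: str
    attributes: dict  # attribute name -> attribute trust score in [0, 1]

def workload_trust_score(c: Container) -> float:
    """Claim 3: threshold, weight, adjust and sum the attribute trust scores."""
    total = 0.0
    for attr, raw in c.attributes.items():
        weighted = raw * WEIGHTS[attr]
        # Attributes that fail the threshold are not trustworthy and contribute less.
        total += weighted if raw >= ATTRIBUTE_THRESHOLD else weighted * UNTRUSTWORTHY_PENALTY
    return round(total, 4)

def generate_rule(src: Container, dst: Container) -> dict:
    """Claim 1 / abstract: allow only when the two workload scores are close enough."""
    gap = abs(workload_trust_score(src) - workload_trust_score(dst))
    return {"src": src.ip, "dst": dst.ip, "action": "allow" if gap <= MAX_TRUST_GAP else "block"}

def build_rules(containers):
    """One rule per ordered pair of containers."""
    return [generate_rule(a, b) for a, b in permutations(containers, 2)]

def evaluate_packet(rules, packet: dict) -> str:
    """Claim 8: match the extracted packet attributes against the rules; default deny (assumed)."""
    for r in rules:
        if r["src"] == packet["src"] and r["dst"] == packet["dst"]:
            return r["action"]
    return "block"

# Constructed sample workloads (not from the patent): two trustworthy, two untrustworthy.
API = Container("api", "10.0.0.1", {"image_signature": 0.9, "source_registry": 0.8, "packet_behaviour": 0.7})
CACHE = Container("cache", "10.0.0.2", {"image_signature": 0.8, "source_registry": 0.7, "packet_behaviour": 0.6})
SCRAPER = Container("scraper", "10.0.0.3", {"image_signature": 0.2, "source_registry": 0.3, "packet_behaviour": 0.4})
CRAWLER = Container("crawler", "10.0.0.4", {"image_signature": 0.3, "source_registry": 0.2, "packet_behaviour": 0.4})

if __name__ == "__main__":
    for rule in build_rules([API, CACHE, SCRAPER, CRAWLER]):
        print(rule)
```

With these values api and cache (both trustworthy) may talk, scraper and crawler (both untrustworthy) may talk, and every trustworthy-to-untrustworthy pair is blocked, which is the behaviour the abstract describes.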
